
Could you not filter it to look for specific things like port 80 or winroute.cz? The only tool that I know of that could filter as it's collecting would be something like Snort IDS, where you can create your own ruleset and have it only detect those that match that pattern. All others it just ignores and lets pass.

That's essentially what I did with windump. I filtered on traffic originating from my box, with a destination other than my internal net. Since I use a proxy server, all legitimate web traffic goes there, which is internal, so there wasn't much going directly outside. I was able to watch the traffic I sent out. I've got that problem pretty much under control.

What I'm still interested in, though, is something that would monitor the app that sent the packets. Your example of using Snort, for instance, would enable me to see which computer is sending the packets, but that still doesn't tell me which application running on my machine is responsible for sending that packet.

Hmm... maybe a HIDS would, though. But I'm really looking for a forensic tool that can be lightly deployed on a given box to watch what app or process is generating it. I think that could be a useful tool. (Wish I had the coding skills...)
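One way to get the per-process attribution asked for above, as an added example that is not from this thread: a Python script that keeps only connections whose peer is outside the internal nets (optionally only a given remote port, e.g. 80) and tags each with its pid and process name. The psutil package is assumed for the live snapshot; the filter itself runs on constructed records, and the internal ranges are an assumption to adjust for the local net.

```python
import ipaddress
from collections import namedtuple

# Minimal connection record; field names mirror what psutil.net_connections() returns.
Conn = namedtuple("Conn", "laddr raddr status pid")

# Assumed internal ranges (RFC 1918 plus loopback); adjust to the local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample socket table: one hop to the internal proxy, one direct
# to an external web server (TEST-NET-3 address), one listening socket.
SAMPLE_CONNS = [
    Conn(("192.168.1.5", 49152), ("192.168.1.1", 3128), "ESTABLISHED", 1204),
    Conn(("192.168.1.5", 49153), ("203.0.113.9", 80), "ESTABLISHED", 3320),
    Conn(("0.0.0.0", 445), (), "LISTEN", 4),
]

def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def outbound_external(conns, ports=None, nets=INTERNAL_NETS):
    """Keep connections whose remote peer is outside the internal nets,
    optionally restricted to a set of remote ports, tagged with the owning pid."""
    hits = []
    for c in conns:
        if not c.raddr:               # listening sockets carry no remote address
            continue
        rip, rport = c.raddr
        if is_internal(rip, nets) or (ports and rport not in ports):
            continue
        hits.append({"pid": c.pid, "remote": f"{rip}:{rport}", "status": c.status})
    return hits

def live_snapshot(ports=None):
    """Live version: psutil supplies the socket table and the pid -> process name map."""
    import psutil  # imported here so the pure functions above run without it
    rows = outbound_external(psutil.net_connections(kind="inet"), ports)
    for r in rows:
        try:
            r["name"] = psutil.Process(r["pid"]).name() if r["pid"] else "?"
        except psutil.Error:          # process exited between the two calls
            r["name"] = "?"
    return rows

if __name__ == "__main__":
    for row in live_snapshot(ports={80}):
        print(row)
```

Run it in a loop (or from a scheduled task) to build a log of which process opened each direct external connection; the proxy-bound traffic is dropped by the internal-net check.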

OK, just for a bit more information on the "whois" stuff (see below), here it is in a nutshell. You stated you are "back in the states"; you were using an ISP in Europe, most likely in the Czech Rep...? ns.winroute.cz is a DNS server on the network. It is a public server and is available for DNS lookups. You can replicate this information by going to a command prompt: type nslookup (W2K or better), then type "server ns.winroute.cz", hit enter, and you can do DNS lookups on that server. Why port 80.... Can't tell you that one, but all in all I would not worry about this...

Registrant:
This is the RIPE Whois secondary server.
The objects are in RPSL format.
Please visit http://www.ripe.net/rpsl for more information.

The object shown below is NOT in the RIPE database.
It has been obtained by querying a remote server:
(whois.nic.cz) at port 43.
To see the object stored in the RIPE database
use the -R flag in your query

REFERRAL START
This whois looks up records in off-line generated RIPE
databases maintained by the Czech Network Information
Center. Results needn't contain all available information,
see also on-line full information search service at the
web-site http://www.nic.cz/